On 22/08/14 18:13, Nicolai Josuttis wrote:

> to deal with faked keys, some guys had the idea to use
> email verification and let then certification servers
> take that as "casual signing".
I take it that a 'faked key' in this context is one associated with an unverified email address. If I send an encrypted message to that email address, two possible outcomes occur to me:

- the email address belongs to some other person who does not control the key and he can't open it. Not much problem here. My secret remains hidden.
- the email address belongs to a person who does control the key and he may or may not be the person named in the email address. I am risking my secrets with an unknown person. I had better take care of the nature of those secrets. It looks like this is the case covered by your original post.

What extra security does a key server certification give in this case? It just says that if you use this key with this email address, the email will be delivered to someone who controls both the address and the key. In any case, there is always the possibility that this 'certified' person or key is actually controlled by someone else.

I have difficulty in seeing what additional security is provided by a casual signature, given by a key-server or by any other party.

Philip
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users